Page Info
Description: It's like Certification but for assessors! An overview of FedRAMP Recognition, what it is, why it matters, what it costs, how it works, and when to do it and when not to do it. And a heads up that they have to meet all the rules in the rules section.
Purpose: Companies know what's up with FedRAMP Recognition and understand that there's more to the game than A2LA.
FedRAMP Recognition
Becoming a FedRAMP Recognized independent assessment service is a two-stage process. First, build and prove your inspection and quality management capability through A2LA. Then obtain FedRAMP approval and maintain it through high-quality work within the bounds of FedRAMP performance standards and A2LA requirements.
Start with A2LA
Before FedRAMP can recognize your organization, it must be accredited under A2LA’s Cybersecurity Assessment Body Program. Your organization should expect to spend at least one year in this program before qualifying for and being considered for FedRAMP Recognition. During this stage, A2LA performs an initial assessment of your personnel’s technical competence as well as your organization’s compliance with ISO/IEC 17020 and the FedRAMP-specific requirements in A2LA R311.
Seek FedRAMP Recognition
Once A2LA completes its initial assessment and concludes with a favorable recommendation, FedRAMP reviews that recommendation and decides whether to approve your organization as a FedRAMP Recognized independent assessment service. Once approved, your organization is listed on the FedRAMP Marketplace and you can officially perform initial or ongoing assessments for FedRAMP Certifications at the Class B, C, or D levels.
Operate like a FedRAMP Recognized Organization
Your organization’s FedRAMP Recognition is tied to how the work is performed. Assessors are expected to verify that cloud service provider security materials meet FedRAMP requirements; validate that the cloud services operate the way those materials describe; attest to the quality and completeness of assessment deliverables; and clearly identify gaps, inconsistencies, and potential risks. Independence matters during and after assessment engagements. If your organization helped a cloud service provider prepare for an assessment, a different independent assessment service is required to perform the assessment.
Stay in Good Standing
Recognized Independent Assessment Services need a favorable A2LA annual review and a full on-site reassessment every two years to maintain recognition. The FedRAMP Authorization Act also requires annual declarations of foreign interest, influence, or control, plus updates within 48 hours after a change in foreign ownership or control. In practice, staying recognized means your assessors are meeting FedRAMP’s performance standards for deliverable quality, testing accuracy and completeness, assessment integrity, and maintaining the chain of custody of assessor-created documentation.